Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 5.10.1
- Component/s: Client Interface, Staff Interface
- Labels: None
Description
When a password reset form is filled out, a record is added to the password_resets table. password_resets.date_expires seems to be set to the current time in the configured timezone plus Blesta.reset_password_ttl (the TTL comes from config/blesta.php and the timezone from Settings > General > Localization). Shouldn't this be UTC?
However, it appears that the link is already expired when generated, depending on the timezone set under Settings > System > Localization. So the TTL is actually longer for some, and the link is already expired for others.
To reproduce, set the timezone to UTC-7 (Los Angeles) and generate a password reset. Note that the time stored in password_resets.date_expires is Los Angeles time + 4 hours, which is in the past if evaluated in UTC time.
I think date_expires is set in the local timezone and evaluated in UTC. Rather, we should set it and evaluate it in UTC.
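The mismatch described in this report can be reproduced in isolation. The following is an added illustration, not Blesta's code: it stores an expiry as site-local wall-clock time plus the TTL and then evaluates it as UTC, next to the UTC-only variant. The function names, the naive datetime string format, and the fixed clock value are assumptions; the 4-hour TTL and UTC-7 offset are taken from the reproduction steps.

```python
from datetime import datetime, timedelta, timezone

TTL = timedelta(hours=4)    # the 4-hour offset seen in the reproduction
FMT = "%Y-%m-%d %H:%M:%S"   # assumed: the column holds a naive datetime string


def store_local(now_utc, utc_offset_hours):
    """Reported behaviour: site-local wall clock + TTL, offset discarded on write."""
    site_tz = timezone(timedelta(hours=utc_offset_hours))
    return (now_utc.astimezone(site_tz) + TTL).strftime(FMT)


def store_utc(now_utc):
    """Proposed behaviour: UTC + TTL, so the write matches how the value is read."""
    return (now_utc.astimezone(timezone.utc) + TTL).strftime(FMT)


def remaining(date_expires, now_utc):
    """Validity left when the stored value is interpreted as UTC."""
    expires = datetime.strptime(date_expires, FMT).replace(tzinfo=timezone.utc)
    return expires - now_utc


def is_expired(date_expires, now_utc):
    return remaining(date_expires, now_utc) <= timedelta(0)


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 18, 0, 0, tzinfo=timezone.utc)  # constructed clock
    for offset in (-7, 0, 10):
        stored = store_local(now, offset)
        hours = remaining(stored, now).total_seconds() / 3600
        print(f"local write, UTC{offset:+d}: {stored}  "
              f"remaining={hours:+.0f}h  expired={is_expired(stored, now)}")
    stored = store_utc(now)
    hours = remaining(stored, now).total_seconds() / 3600
    print(f"UTC write:          {stored}  "
          f"remaining={hours:+.0f}h  expired={is_expired(stored, now)}")
```

With a local-time write, the effective lifetime is the TTL plus the site's UTC offset: negative offsets at or beyond the TTL produce links that are dead on creation, and positive offsets silently extend the reset window.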